Closed arunsai271 closed 2 years ago
Currently, freetype 2.12.1 is in the edge main repo. You can upgrade it by running this command
apk upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
@mitchellmaler Tried with the suggested command, but it is still pulling the 2.11 version. Please help.
Note: I cannot upgrade my Alpine OS to Edge in production, since we know Edge is like a beta version and is not supposed to be used in production.
OS Details:
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.4
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ #
Upgrade:
/ # apk upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
OK: 6 MiB in 14 packages
Details after upgrading:
/ # apk search | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
/ #
You most likely need to remove the old freetype version first:
apk del freetype && apk add --upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
@mitchellmaler Thank you, the command is working. But in the same way I tried to upgrade openjdk8-jre, which internally uses freetype. openjdk8-jre 8.302 uses freetype 2.11, so I want to upgrade to openjdk-jre 8.312, which internally uses freetype 2.12. But in this case openjdk-jre 8.312 is still pulling the freetype 2.11 version, and I want it to pull the freetype 2.12 version. Can you please suggest how to achieve this? My vulnerability scanner tool is still picking up the freetype 2.11 issue.
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
v3.15.4-124-ga85ef407d0 [https://dl-cdn.alpinelinux.org/alpine/v3.15/main]
v3.15.4-128-gcc1b3f7211 [https://dl-cdn.alpinelinux.org/alpine/v3.15/community]
OK: 15857 distinct packages available
/ # apk del openjdk8-jre && apk add --upgrade openjdk8-jre --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
OK: 6 MiB in 14 packages
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/51) Upgrading libcrypto1.1 (1.1.1n-r0 -> 1.1.1o-r0)
(2/51) Upgrading libssl1.1 (1.1.1n-r0 -> 1.1.1o-r0)
(3/51) Upgrading zlib (1.2.12-r0 -> 1.2.12-r1)
(4/51) Installing expat (2.4.7-r0)
(5/51) Installing brotli-libs (1.0.9-r5)
(6/51) Installing libbz2 (1.0.8-r1)
(7/51) Installing libpng (1.6.37-r1)
(8/51) Installing freetype (2.11.1-r1)
(9/51) Installing libuuid (2.37.4-r0)
(10/51) Installing fontconfig (2.13.1-r4)
(11/51) Installing encodings (1.0.5-r0)
(12/51) Installing libfontenc (1.1.4-r0)
(13/51) Installing mkfontscale (1.2.1-r1)
(14/51) Installing ttf-dejavu (2.37-r1)
(15/51) Installing libxau (1.0.9-r0)
(16/51) Installing libmd (1.0.3-r0)
(17/51) Installing libbsd (0.11.3-r1)
(18/51) Installing libxdmcp (1.1.3-r0)
(19/51) Installing libxcb (1.14-r2)
(20/51) Installing libx11 (1.7.2-r0)
(21/51) Installing libxcomposite (0.4.5-r0)
(22/51) Installing libxext (1.3.4-r0)
(23/51) Installing libxi (1.8-r0)
(24/51) Installing libxrender (0.9.10-r3)
(25/51) Installing libxtst (1.2.3-r3)
(26/51) Installing alsa-lib (1.2.5.1-r1)
(27/51) Installing libgcc (10.3.1_git20211027-r0)
(28/51) Installing giflib (5.2.1-r0)
(29/51) Installing libjpeg-turbo (2.1.2-r0)
(30/51) Installing libstdc++ (10.3.1_git20211027-r0)
(31/51) Installing openjdk8-jre-lib (8.312.07-r0)
(32/51) Installing java-common (0.5-r0)
(33/51) Installing libffi (3.4.2-r1)
(34/51) Installing p11-kit (0.24.0-r1)
(35/51) Installing libtasn1 (4.18.0-r0)
(36/51) Installing p11-kit-trust (0.24.0-r1)
(37/51) Installing ca-certificates (20211220-r0)
(38/51) Installing java-cacerts (1.0-r1)
(39/51) Installing nspr (4.32-r0)
(40/51) Installing sqlite-libs (3.36.0-r0)
(41/51) Installing nss (3.78-r0)
(42/51) Installing krb5-conf (1.0-r2)
(43/51) Installing libcom_err (1.46.4-r0)
(44/51) Installing keyutils-libs (1.6.3-r0)
(45/51) Installing libverto (0.3.2-r0)
(46/51) Installing krb5-libs (1.19.3-r0)
(47/51) Installing lcms2 (2.12-r1)
(48/51) Installing pcsc-lite-libs (1.9.4-r0)
(49/51) Installing liblksctp (1.0.19-r0)
(50/51) Installing openjdk8-jre-base (8.312.07-r0)
(51/51) Installing openjdk8-jre (8.312.07-r0)
Executing busybox-1.34.1-r5.trigger
Executing fontconfig-2.13.1-r4.trigger
Executing mkfontscale-1.2.1-r1.trigger
Executing java-common-0.5-r0.trigger
Executing ca-certificates-20211220-r0.trigger
OK: 106 MiB in 62 packages
/ # apk search | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
/ #
@mitchellmaler Any update, please, on how to resolve this?
It seems to me that nginx:mainline-alpine (currently Alpine Linux v3.15.4) is, according to a Grype scan, still vulnerable to:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
curl 7.80.0-r0 7.80.0-r1 apk CVE-2022-22576 Unknown
curl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27775 Unknown
curl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27776 Unknown
curl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27774 Unknown
freetype 2.11.1-r0 apk CVE-2022-27405 High
freetype 2.11.1-r0 2.11.1-r1 apk CVE-2022-27404 Critical
freetype 2.11.1-r0 apk CVE-2022-27406 High
libcurl 7.80.0-r0 7.80.0-r1 apk CVE-2022-22576 Unknown
libcurl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27774 Unknown
libcurl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27775 Unknown
libcurl 7.80.0-r0 7.80.0-r1 apk CVE-2022-27776 Unknown
libgd 2.3.2-r1 apk CVE-2021-38115 Medium
libgd 2.3.2-r1 apk CVE-2021-40812 Medium
libgd 2.3.2-r1 apk CVE-2021-40145 High
libxml2 2.9.13-r0 2.9.14-r0 apk CVE-2022-29824 Medium
xz-libs 5.2.5-r0 5.2.5-r1 apk CVE-2022-1271 Unknown
Hi @mitchellmaler / team, any updates on the solution, please? Sorry to bother you, but since it is a security-related concern, it is a priority for us. If we get a new Alpine 3.15.5 image with all these fixes, it would solve all our problems hassle-free.
Hi @mitchellmaler, we're also having issues concerning this. Is there a plan to release a new version without the freetype vulnerability, or is docker-alpine no longer supported? Thanks!
Hi all, we're also getting the same issue:
Total: 1 (CRITICAL: 1)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype | CVE-2022-27404 | CRITICAL | 2.11.1-r0 | 2.11.1-r1 | FreeType: Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Which is also blocking us from deploying.
This is technically the wrong place to report issues with freetype, since the alpine docker base image does not include freetype. https://gitlab.alpinelinux.org/alpine/aports/-/issues would be better.
That said, I backported fixes for CVE-2022-27405 and CVE-2022-27406 in freetype-2.11.1-r2.
See alpinelinux/aports@2cac7499017def246acff43ed3bec6e9e857c240
The docker image that pulls in freetype needs to be rebuilt. I don't know which image that is in your case, but I know for sure it's not the alpine base image.
If we get a new Alpine 3.15.5 image with all these fixes, it would solve all our problems hassle-free.
The alpine base image does not include freetype, so it would not really solve anything. I cannot bump the version number of the base package every time any package in any repository gets a security update. I do create a new release when the base image itself has vulnerable packages (openssl, apk-tools, zlib, busybox).
@ncopa Thank you for updating, I will move to Debian OS images.
@ncopa Thanks for your mention. I checked; in my case it is coming from openjdk11, with almost 6 libs that are vulnerable and not fixed by updating the JDK or upgrading the Java version. Please correct me if I am mistaken, and suggest any other OS image that will not download vulnerable libs with openjdk11.
Do you have the list of CVEs and/or packages that are vulnerable?
Security checks for new builds are passing now, thanks!
@ncopa
RUN apk update && \
    apk add openjdk11 && \
    apk add --no-cache bash && \
    apk add curl
RUN apk add --update oniguruma && \
    apk add --update libx11
RUN apk add --update curl && rm -rf /var/cache/apk/*
RUN apk add jq
freetype giflib ncurses-libs ncurses-terminfo-base lcms2
In the Alpine 3.15.4 image, the maximum supported freetype version is 2.11, but in order to resolve the CVE-2022-27405 and CVE-2022-27406 issues, the Alpine 3.15.4 version should support freetype 2.12. We can see at https://gitlab.alpinelinux.org/alpine/aports/-/issues/13777 that the same upgrade request has been taken care of and the changes have been merged into the master branch. Could you kindly let us know when these changes will be available as a patch fix in the 3.15.4 docker image?